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Abstract 

We study the problem of indexing irreducible polynomials over finite fields, and give the 
first efficient algorithm for this problem. Specifically, we show the existence of poly(n, log g)-size 
circuits that compute a bijection between {1,..., |S'|} and the set S of all irreducible, monic, 
univariate polynomials of degree n over a finite field Fg. This has applications in pseudoran¬ 
domness, and answers an open question of Alon, Goldreich, Hastad and Peralta |AGHP92] . 

Our approach uses a connection between irreducible polynomials and necklaces ( equivalence 
classes of strings under cyclic rotation). Along the way, we give the first efficient algorithm for 
indexing necklaces of a given length over a given alphabet, which may be of independent interest. 


1 Introduction 

For a finite field and an integer n, let S be the set of all irreducible polynomials in 1 variable over 
Fq of degree exactly n. There is a well known formula for jSI (which is approximately ^). We con¬ 
sider the problem of giving an efficiently computable indexing of irreduducible polynomials i.e., find¬ 
ing a bijection / : {1,... , 151} —)■ 5 such that f{i) is computable in time poly(log |5|) = poly(n log q). 
Our main result is that indexing of irreducible polynomials can be done efficiently given 0{n\ogq) 
advice. This answers a problem posed by Alon, Goldreich, Hastad and Peralta [AGHP92], and is 
the polynomial analogue of the the well-known problem of “giving a formula for the n-bit primes”. 
Note that today it is not even known (in general) how to produce a single irreducible polynomial 
of degree n in time poly(nlogg) without the aid of either advice or randomness. 

The main technical result we show en route is an efficient indexing algorithm for necklaces. Neck¬ 
laces are equivalance classes of strings modulo cyclic rotation. We give an poly(n log |S|)-time 
computable bijection g : {1, 2,..., \M\} M, where M is the set of necklaces of length n over the 
alphabet S. 
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1.1 The indexing problem 


We define an indexing of a finite set S' to be a bijection from the set IS"!} to S. Let us 

formalize indexing as a computational problem. Suppose that L is an arbitrary language over 
alphabet S and let L"" be the set of strings of L of length n. We want to “construct” an indexing 
function for each of the sets L"". Formally, this means giving an algorithm A which takes as 
input a size parameter n and an index j and outputs A^(j), so that the following properties hold 
for each n: 

• A'^ maps the set {1,... , |L"'|} bijectively to L"^. 

• If j > IL""! then A^{j) returns too large. 

An indexing algorithm is considered to be efficient if its running time is poly(n). 

A closely related problem is reverse-indexing. A reverse-indexing of L a bijection from L” to 
{1,..., |L”'|}, and we say it is efficient if it can be computed in time poly(n). 

We can use the above formalism for languages to formulate the indexing and reverse-indexing 
problems for any combinatorial structure, such as permutations, graphs, partitions, etc. by using 
standard efficient encodings of such structures by strings. 

1.2 Indexing, enumeration, counting and ranking 

Indexing is closely related to the well-studied counting, enumeration and ranking problems for 
L. The counting problem is to give an algorithm that, on input n outputs the size of L”". The 
enumeration problem is to give an algorithm that, on input n, outputs a list containing all elements 
of L'^. A counting or enumeration algorithm is said to be efficient if it runs in time poly(n) or 
|L”| • poly(n) respectively. 

Other important algorithmic problems associated with combinatorial objects include the ranking 
and unranking problems. For the ranking problem, one is given an ordering of L” (such as the 
lexicographic order) and the goal is to compute the rank (under this order) of a given element of 
L"'. For the unranking problem, one has to compute the inverse of this ranking map. It is easy to 
see that unranking algorithms for any ordering are automatically indexingmlgorithms, and ranking 
algorithms for any ordering are automatically reverse-indexing algorithm^. 

There is well developed complexity theory for counting problems, starting with the fundamental 
work of Valiant |Val79] . For combinatorial structures, counting problems are (of course) at the 
heart of combinatorics, and many basic identities in combinatorics (such as recurrence relations 
that express the number of structures of a particular size in terms of the number of such structures 
of smaller sizes) can also be viewed as giving efficient counting algorithms for these structures. 
The enumeration and ranking problems for combinatorial structures has also received a large 
amount of attention. See the books [NW781 IKS991 IRusO.ll lArnll] for an overview of some of 
the work on this topic. 

^ We use the terms indexing and reverse-indexing instead of the terms unranking and ranking to make an important 
distinction: in indexing and reverse-indexing the actual bijection between {1,..., |S'|} and S is of no importance 
whatsoever, but in ranking and unranking the actual bijection is part of the problem. We feel this difference is worth 
highlighting, and hence we introduced the new terms indexing and reverse-indexing for this purpose. Note that some 
important prior work on ranking/unranking distinguishes between these notions |MR01 |. 
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Counting and enumeration can be easily reduced to indexing: Given an indexing algorithm A we 
can compute \L'^\ by calling A^{j) on increasing powers of 2 until we get the answer ‘too large’ 
and then do binary search to determine the largest j for which A^{j) is not too large. Enumeration 
can be done by just running the indexing algorithm on the integers 1,2,... until we get the answer 

too large. 

Conversely, in many cases, such as for subsets, permutations, set partitions, integer partitions, 
trees, spanning trees, (and many many more) the known counting algorithms can be modified to 
give efficient indexing (and hence enumeration) algorithms. This happens, for example, when the 
counting problem is solved by a recurrence relation that is proved via a bijective proof. 

However, it seems that not all combinatorial counting arguments lead to efficient indexing algo¬ 
rithms. A prime example of this situation is when we have a finite group acting on a finite set, and 
the set we want to count is the set of orbits of the action. The associated counting problem can 
be solved using the Burnside counting lemma, and there seems to be no general way to use this to 
get an efficient indexing algorithm. 

This leads us to one of the indexing problems studied here: Fix an alphabet S and consider two 
strings x and y in TA to be equivalent if one is a rotation of the other, i.e. we can find strings 
such that X = x^x^ and y = x^x^ (here uv denotes the concatenation of the strings u and u). The 
equivalence classes of strings are precisely the orbits under the natural action of the cyclic group 
on S”. These equivalence classes are often called necklaces because if we view the symbols of 
a string as arranged in a circle, then equivalent strings give rise to the same arrangement. We are 
interested in the problem of efficiently indexing necklaces. We apply the indexing algorithm for 
necklaces to the problem of indexing irreducible polynomials over a finite field. 

1.3 Main results 

Our main result is an efficient algorithm for indexing irreducible polynomials. 

Theorem 1.1. Let q be a prime power, and let n >1 he an integer. Let Iq^n be the set of monic 
irreducible polynomials of degree n over Fg. 

There is an indexing algorithm for Lg^n, which takes 0{n log q) bits of advice and runs in poly(n, log q) 
time. 

We remark that it is not known today how to deterministically produce (without the aid of advice 
or randomness) even a single irreducible polynomial of degree n in time poly(nlogg') for all choices 
of n and q. Our result shows that once we take a little bit of advice, we can produce not just 
one, but all irreducible polynomials. For constant q, where it is known how to deterministically 
construct a single irreducible polynomial in poly(n) time without advice [Sho90a| . our indexing 
algorithm can be made to run with just poly(logn) bits of advice. 

Using a known correspondence |Gol69] between necklaces and irreducible polynomials over finite 
fields, indexing irreducible polynomials reduces to the problem of indexing necklaces. Our main 
technical result (of independent interest) is an efficient algorithm for this latter problem. 

Theorem 1.2. There is an algorithm for indexing necklaces of length n over the alphabet {1,..., q}, 
which runs in time poly(nlogg). 

Our methods also give an efficient reverse-indexing algorithm for necklaces (but unfortunately this 
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does not lead to an efficient reverse-indexing algorithm for irreducible polynomials; this has to do 
with the the open problem of efficiently computing the discrete logarithm). 

Theorem 1.3. There is an algorithm for reverse-indexing necklaees of length n over the alphabet 
{1,... ,q}, which runs in time poly(nlogq). 

The indexing algorithm for irreducible polynomials can be used to make a classical e-biased set 
construction from [AGHP9^ based on linear-feedback shift register sequences constructible with 
logarithmic advice (to put it at par with the other constructions in that paper). It can also be used 
to make the explicit subspace designs of |GK13] very explicit (with small advice). 

Agrawal and Biswas |AB03| gave a construction of a family of nearly-coprime polynomials, and 
used this to give randomness-efficient black-box polynomial identity tests. The ability to efficiently 
index irreducible polynomials enables one to do this even more randomness efficiently (using a small 
amount of advice). 

Similarly, the string fingerprinting algorithm by Rabin |Rab81| . which is based on choosing a 
random irreducible polynomial can be made more randomness efficient by choosing the random 
irreducible polynomial via first choosing a random index and then indexing the corresponding 
irreducible polynomial using our indexing algorithm. This application also requires a small amount 
of advice. 

As another application of the indexing algorithm for necklaces, we give a poly(n) time algorithm 
for computing any given entry of the A: x 2” generator matrix matrix or the (2” — fc) x 2"' parity 
check matrix of BCH codes for all values of the designed distance (this is the standard notion of 
strong explicitness for error-correcting codes). Earlier, it was only known how to compute this 
entry explicitly for very small values of the designed distance (which is usually the setting where 
BCH codes are used). 

1.4 Related Work 

There is an extensive literature on enumeration algorithms for combinatorial objects (see the books 
[E,us03l IKnuObl IKS991INW781 lArn n]). Some of these references discuss necklaces in depth, and 
some also discuss the ranking/unranking problems for various combinatorial objects. 

The lexicographically smallest element of a rotation class is called a Lyndon word, and much is 
known about them. Algorithmically, the problem of enumerating/indexing necklaces is essentially 
equivalent to the problem of enumerating/indexing Lyndon words. Following a long line of work 
IF.TK861 IFM7^ IBSMYW^ IDuv881 IBPM IRM [GR,S+nn| , we now know linear time enumeration 
algorithms for Lyndon words/necklaces. 

In |MMn4| and |Rusn3j . it was noted that the problem of efficient ranking/unranking of the lexico¬ 
graphic order on Lyndon words is an open problem. Our indexing algorithms in fact give a solution 
to this problem too: we get an efficient ranking/unranking algorithm for the lexicographic order 
on Lyndon words. 

Recent work of Andoni, Goldberger, McGregor and Porat [AGMPl^ studied a problem that may 
be viewed as an approximate version of reverse indexing of necklaces. They gave a randomized 
algorithm for producing short fingerprints of strings, such that the fingerprints of rotations of a 
string are determined by the fingerprint of the string itself. This fingerprinting itself was useful for 
detecting proximity of strings under misalignment. 
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Recent independent work : A preliminary version of this paper appeared as [KKS14] . At about 
the same time, similar results were published by Kociumaka, Radoszewski and Rytter |KRR14] . 
The work in these two papers was done independently. The papers both have polynomial time 
algorithms for indexing necklaces; the authors in |KRR14] exercised more care in designing the 
algorithm to obtain a better polynomial running time. Their approach to alphabets of size more 
than 2 is cleaner than ours. On the other hand, we put the results in a broader context and have 
some additional applications (indexing irreducible polynomials and explicit constructions). 

1.5 Organization of the paper 

The rest of the paper is organized as follows. We give the algorithm to index necklaces in Sec¬ 
tion [2j In Section [3l we use our indexing algorithm for necklaces to give an indexing algorithm 
for irreducible polynomials over finite fields. In Section U we give an application to the explicit 
construction of generator and parity check matrices of BCH codes. We conclude with some open 
problems in Section[5j In Appendixl^ we give an alternate algorithm for indexing binary necklaces 
of prime length. In Appendix |Bl we give some prelimary observations about the complexity theory 
of indexing in general. 


2 Indexing necklaces 

2.1 Strategy for the algorithm 


We first consider a very basic indexing algorithm which will inspire our algorithms. Given a 
directed acyclic graph D on vertex set V and distinguished subsets S and T of nodes, there is a 
straightforward indexing algorithm for the set of of paths that start in S and end in T: Fix an 
arbitrary ordering on the nodes, and consider the induced lexicographic ordering on paths (i.e. path 
P 1 P 2 ... is less than path Q 1 Q 2 ■ ■ ■ Pi < Qi where i is the least integer such that Pi 7 ^ Qi). Our 
indexing function will map the index j to the jth path from S' to T in lexicographic order. There 
is a simple dynamic program which computes for each node u, the number N{v) of paths from v to 
a vertex in T. Let vi,... ,Vr be the nodes of S listed in order. Given the input index j, we hnd the 
first source Vi such that the number of paths to T starting at nodes ui,..., Uj is at least j; if there 
is no such source then the index j is larger than the number of paths being indexed. Otherwise, Vi 
is the first node of the desired path, and we can proceed inductively by replacing the set S by the 
set of children of Vi. 

This approach can be adapted to the following situation. Suppose the set S we want to index is a 
set of strings of fixed length n over alphabet S. A read-once branching program of length n over 
alphabet S is an acyclic directed graph with vertex layers numbered from 0 to n, where ( 1 ) layer 
0 has a single start node, (2) there is a designated subset of accepting nodes at level n, and (3) 
every non-sink node has one outgoing arc corresponding to each alphabet symbol, and these arcs 
connect the node to nodes at the next level. For nodes v and w and alphabet symbol cr we write 
V —w to mean that there is an arc from v to w labelled by a. 

Such a branching program takes words from S” and, starting from the start node, follows the 
path corresponding to the word to either the accept or reject node. Given a read-once branching 
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program for S, there is a 1-1 correspondence between strings in S and paths from the start node 
to an accepting node. We can use the indexing algorithm for paths given above to index S. 

This suggests the following approach to indexing necklaces. For each equivalence class of strings 
(necklace) identify a canonical representative string of the class (such as the lexicographically 
smallest representative). Then build a branching program B which, given string y, determines 
whether y is a canonical representative of its class. By the preceding paragraph, this would be 
enough to index all of the canonical representatives, which is equivalent to indexing equivalence 
classes. 

In fact, we are able to implement this approach provided that q = 2 and n is prime (See appendix 
However, we have not been able to make it work in general. For this we need another approach, 
which still uses branching programs, but in a more involved way. 

First some notation. For a given string y, we write the string obtained from y after cyclically 
rotating it rightwards by i positions as Rot*(y). We define Orbit(y) to be the set containing y and 
all its distinct rotations. Orbit(y) will also be referred to as the equivalence class of y. A string y is 
said to be periodic with period p if it can be written as yi‘^ for some yi € and q = ^. A string is 
said to have fundamental period p if it is periodic with period p and not periodic with any period 
smaller than p. We will denote the fundamental period of a string y by FP(y). Note that for any 
string y, |Orbit(y)| = FP(y). 

If E is an orbit and a: is a string, we say that E < x \i E contains at least one string y that is 
lexicographically less than x. (Notice that under our definition, if x and y are strings then we might 
have both that the orbit of x is less than y and the orbit of y is less than x). 

Let t be the total number of orbits. Let Cx be the set of orbits that are less than x. Our main goal 
will be to design an efficient algorithm which, given string x, returns \Cx\- We now show that if we 
can do this then we can solve both the indexing and reverse indexing problems. 

For the indexing problem, we want a 1-1 function that maps j G {1,... , t} to a string so that all 
of the image strings are in different orbits. The map will be easily computabile given a subroutine 
for \Cx\. 

Define the minimal representative of an orbit to be the lexicographically least string in the orbit. 
Let < • • • < y* denote the minimal representatives in lex order. Our map V’ will map j to yL 
This clearly maps each index to a representative of a different orbit. 

It suffices to show how to compute V’(j)- Note that \Cx\ is equal to the number of y* that precede 
X, and is thus a nondecreasing function of x. Therefore, = y^ is equal to the lexicographically 
largest string with \Cx\ < j- Furthermore, since \Cx\ is a nondecreasing function of x, we can find 
^p{j) by doing binary search on the set of strings according to the value of \Cx\- 
Simiarly, we can solve the reverse indexing problem: given a string x we can find the index of the 
orbit to which it belongs by first finding the lexicographically minimal representative y* of its orbit 
and then computing \Cyi \ + 1. 

Lemma 2.1. To efficiently index and reverse index necklaces of length n over an alphabet S, it 
suffices to have an efficient algorithm that takes as input a string x gTT and outputs \Cx\- 

The next section gives our algorithm to determine \Cx\ fpr any input string x. 


6 


2.2 Computing \Cx\ 

Let us define: 

• Gx,p = [jE&C:c■.\E\=p^■ 

• Gx,<p = \Je&c^-.\e\ divides p^' 

In Section I2.2.2l we reduce the problem of computating of \Cx\ to the problem of computing \Gx,<p\ 
for various p. The main component of the indexing algorithm is a subroutine that computes \Gx,<p\ 
given a string x and an integer p. This subroutine works by building a branching program with 
7 jO(i) nodes, which when given a string y accepts if and only if (1) the orbit of y has size dividing 
p and (2) Orbit(y) < x. The quantity we want to compute, |Ga;,<p|, is therefore simply the number 
of y accepted by this branching program (which, as noted above can be computed in polynomial 
time via a simple dynamic program). 

2.2.1 Notation and Preliminaries 


Preliminaries: We state some basic facts about periodic strings without proof. 

Fact 2.2. Let y be a string of length n and let p be positive integer dividing n. Then, |Orbit(y)| = p 

n 

if and only if y has fundamental period p. In particular, y can be written as yiP for an aperiodic 
string yi € 

Fact 2.3. The fundamental period of a string is a divisor of any period of the string. 

In particular, the fundamental period of a string is unique. We denote the fundamental period of 
y by FP(?/). 


2.2.2 Reduction to computing \Gx,<p\ 

We begin with some simple transformations that reduce the computation of \Cx\ to the computation 
of |G'a;_<p| (for various p). 

Lemma 2.4. For all x G S"", 


ICx 


E 

y^Gx,<n 


1 

|Orbit(y)| 


E 

y^Gx,<7L 


1 

F^' 


Proof. For y € Gx,<n, Rot*(?/) G Gx,<n for every positive integer i. Note that there are exactly 
|Orbit(y)| distinct strings of the form RoT(y). Thus for any orbit E G Cx, we have '^y^E |Orblt(p)| ~ 
1. Therefore: ^ ^ 

^ |Orbit(?/)| ^ ^ |Orbit(y)| ^ 

□ 
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The sum on the right hand side can be split on the basis of the period of y. From Lemma 12.41 and 
Fact 12.21 we have the following lemma. 

Lemma 2.5. For all x G TF, 

ioi = E^ 

i\n 

So, to count \Cx\ efficiently, it suffices to compute \Gx,i\ efficiently for each i\n. Now, from the 
definitions, we have the following lemma. 

Lemma 2.6. For all x G YF, 

|Gx,<p| = 

i\p 

From the Mobius Inversion Formula (see Chapter 3 in [Stall] for more details), we have the following 
equality. 

Lemma 2.7. 

i\p 

Lemma [2 . 71 implies that it suffices to compute \Gx,<p\ efficiently for every divisor p of n. In the next 
few sections, we will focus on this sub-problem and design an efficient algorithm for this problem. 
We will first describe the algorithm when the alphabet is binary, and then generalize to larger 
alphabets. 

2.2.3 Computing |Ga;,<n| efficiently for the binary alphabet 


In this section, we will design an efficient algorithm that given a string x G {0, l}*^ computes |G 3 ;,<n|- 
On input x the algorithm will construct a branching program with the property that \Gx,<n\ is 
the number of accepting paths in the branching program. This number of accepting paths can be 
computed by a simple dynamic program as described at the beginning of Section 12.11 

Lemma 2.8. Given as input a branching program B of length n over alphabet Y, we can compute 
the size of the set of accepted strings in time poly(|i?|, logn). 

Proof. The number accepted strings is the number of paths from the start node to the accept node, 
and all such paths have length exactly n. Thus the number of accepted strings is the i,j entry in 
the power of the adjacency matrix of the graph, and can thus be computed in time polynomial 
in the size of the graph and logn (by repeated squaring). □ 

We now describe how to construct, for each fixed string x G {0,1}", a branching program Bx of 
size polynomial in n such that the strings accepted by Bx are exactly those in Gx,<n- Lemma 12.81 
then implies that we can compute \Gx,<n\ in time polynomial in n. 

For strings x, y, when is y<\^yG^l This happens and only if there exists an i G {1, 2,... , n — 1} such 
that yj = Xj for every j < i and Xj+i > yi+i- In the case of binary strings of length n, we must 
have Xj+i = 1 and = 0. 





Definition 2.9. The set of witnesses for x, denoted Lx, is defined by: 

Lx = {sO : si is a prefix of x} 

We can summarize the discussion from the paragraph above as follows: 

Observation 2.10. For x, y € {0,1}"", we have y<\exX if and only if some prefix of y lies in Lx- 

We will now generalize this observation to strings under rotation. For strings x, y, when is Orbit(?/) < 
X? Recall that Orbit(y) < x if for some y' E Orbit(?/), we have y'<\exX. From Observation I2.1UI we 
know that this happens if and only if some y' E Orbit(y) has some prefix w va. Lx- Rotating back to 
y, two situations can arise. Either y contains w as a, contiguous substring, or w appears as a “split 
substring” wrapped around the end of y. In the latter case, y has a prefix wi and a suffix W 2 such 
that W 2 Wi = w & Lx- 

Recall that Gx,<n is the set of y with Orbit(y) < x. Thus, y E Gx,<n if and only if it has a contiguous 
substring as a witness, or it has a witness that is wrapped around its end. Let us separate these 
two cases out. 

Definition 2.11. For a string x E {0, !}"■, 

G% <n = {y E {0, 1}” : y contains a string in Lx as a contiguous substring } 

Gf <n = {y E {0,1}"" : y has a prefix wi and suffix W 2 such that W 2 Wi E Lx} 

From the discussion in the paragraph above, we have the following observation: 

Observation 2.12. 

G.,<n = G^,<nUG-<„ 

The branching program Bx will be obtained by combining two branching programs Bf and Bff, 
where the first accepts the strings in Gf and the second accepts the strings in Gf Each layer 
j of the branching program Bx is the product of layer j of B^ and layer j of Bf} and we have arcs 
{v,v') — {w,w') when v v' and w w'. The accepting nodes at level n + 1 are nodes {v,v') 
where v is an accepting node of Bf. or v' is an accepting node of Bf}. The resulting branching 
program clearly accepts the set of strings accepted by B^ or Bf}. 

Note that the branching programs Bx produced by the algorithm are never actually “run”, but are 
given as input to the algorithm of Lemma 12.81 in order to determine |G 3 ;,<n|- 

For a set of strings W, we will use Prefix(kF) to denote the set of all prefixes of all strings in W 
(including the empty string e). Similarly, Suffix(kF) denotes the set of all suffixes of of all strings 
in W (including the empty string e). Similarly, we will use Substring(kF) for set of all contiguous 
substrings of strings in W. 

For a string r, Q{r) is the set of suffixes of r that belong to Prefix(L 2 ;). 

Constructing branching program Bx We now present an algorithm which on input x E 
{0, l}”',runs in time polynomial in n and outputs a branching program B^ that recognizes Lf- 

Definition 2.13. Branching program B^ 
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1. Nodes at level j are triples {j, s, b) where s G Prefix(L 2 ;) and b G {0,1}. (We want string s to 
he the longest suffix of ziZ 2 ■ ■ ■ Zj that belongs to Prefix(La:), and b = 1 iff ziZ 2 ■ ■ ■ Zj eontains 
a substring that belongs to L^.) 

2. The start node is (0, A, 0) where A is the empty string. 

3. The aceepting nodes {n,s,b) are those with 6 = 1. 

4- For j < n, the are out of nodes (j — l,s,6) labeled by alphabet symbol a is {j,s',b') where s' 
is the longest string in Q{sa) and b' = 1 if s' eontains a suffix in and otherwise b' = b. 

It is clear that the branching program can be constructed (as a directed graph) in time polynomial 
in n. It remains to show that it accepts those z that have a substring that belongs to (Lx)- 
Fix a string 2 : G {0,1}”. Let {j, sj, bj) be the jth vertex visited by the branching program on input 
2 . Note that Sj is a suffix of zi ... zj. Let hj be the index such that s = z^.. ... zj] if s is empty, 
we set hj = j + 1. For j between 1 and n let ij be the least index such that Zi. ... Zj belongs to 
Prefix(Lx) (so ij = j + 1 if there is no such string). Note that ij > ij-i since if Zi... Zj belongs to 
Prefix(Lx) so does Zi... Zj-i. 

The branching program is designed to make the following true: 

Claim 2.14. For j between 1 and n, hj = ij and bj = I if and only if a substring of zi... Zj belongs 
to Lx. 

The claim for bj = 1 implies that the branching program accepts the desired set of strings. 

Proof. The claim follows easily by induction, where the basis j = 0 is trivial. Assume j > 0. First 
we show that hj = ij. By induction hj-i = ij-i and by definition of hj and ij we have ij < hj. 
To show hj < ij, note that since ij > ij-i = hj-i, the string Zi. ... Zj is in Q{tj-ia) and so is 
considered in the choice of Sj and thus hj = ij. 

For the claim on bj, if 2 has no substring in Lx then bj remains 0 by induction. If 2 ; has a substring 
in Lx let Zi... Zk be such a substring with k minimum. Then by the claim on tk, h^ < i, and so 
Zi... Zk is a suffix of s^ and so 6^ = 1, and for all j > k, bj continues to be 1. □ 

Constructing branching program Bf( We now present an algorithm which on input x G 
{0,1}"",runs in time polynomial in n and outputs a branching program that accepts the set of 
strings 2 ; that have a nonempty suffix u and nonemtpy prefix v such that uv belongs to Lx. 

Definition 2.15. Branching program Bff 

1. Nodes at level j are triples {j,s,p) where p,s G Prefix(Lx). (String s will be the longest suffix 
of Z\Z 2 ■ ■ ■ Zj that belongs to Prefix(Lx) (as in Bf ) and p is the longest prefix of Z\Z 2 ■ ■ ■ Zj that 
belongs to Prefix(Lx). 

2. The start node is (0, A, A) where A is the empty string. 

3. The aceepting states are those states {n,s,p) such that p has a nonempty prefix p' and s has 
a nonempty suffix .s' sueh that s'p' G Lx. 
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For j < n, the arc out of state (j — l,s,p) labeled by alphabet symbol a is (j,s',p') where s' 
is the longest string in Q{sa) and p' = pa if |s| = j — 1 and pa € Prefix(L 2 ;) and p' = p 
otherwise. 

It is clear that the branching program can be constructed (as a directed graph) in time polynomial 
in n. It remains to show that it accepts Lf. 

Fix a string € {0,1}"'. Let (j, Sj,pj) be the jth node visited by the branching program on input 
z. Notice that sj is calculated the same way in Bf as in and so Sj is the longest suffix of zi ... zj 
that belongs to Prefix(L 2 ;). 

An easy induction shows that pj is the longest prefix of zi ... Zj belonging to Prefix(La;): Let k be 
the length of the longest prefix of z belonging to Prefix(La;). For j < k we have pj = zi... Zj and 
for j > k, Pj = zi... Zk- 

Finally, we need to show that the branching program accepts z if and only if z has a a nonempty 
suffix s' and z has a nonempty prefix p' such that s'p' G L^. If the program accepts then the 
acceptance condition and the fact that Sn is a suffix of z and pn is a prefix of z implies that z has 
the required suffix and prefix. Conversely, if 2 ; has such a prefix p' and suffix s', then they each 
belong to Prefix(La:). Since pn is the longest prefix of z belonging to Prefix(La:), p' is a prefix of pn 
and since Sn is the longest suffix of z belonging to Prefix(La;), s' is a suffix of tn- So the branching 
program will accept. 

Putting things together From the constructions, it is clear that the size of the branching 
programs Bf and B^ are polynomial in the size of Lx and hence polynomial in n = |x|. Moreover, 
by a product construction, we can efficiently construct the deterministic finite branching program 
Bx which accepts the strings accepted by Bff or Bx, which is Gx,<n- This observation, along with 
Lemma 12.81 implies the following lemma. 

Lemma 2.16. There is an algorithm which takes as input a string x in {0,1}"' and outputs the 
size of Gx,<n in time polynomial in n. 

2.2.4 Computing \Gx,<p\ efficiently 

In this section, we will show that for every p\n, we can compute the quantity \Gx,<p\ efficiently. 
The algorithm will be a small variation of our algorithm for computing |Ga;,<n| from the previous 

n 

section. Let p be a divisor of n with p < n. Every string y € Gx,<p is of the form ar for some 

IL 

a € {0,1}^, and every string in Orbit(y) is of the form (Rot*(a)) p , for some i < p. Let us write the 
string X as X 1 X 2 ■ ■ - xn where for each i, Xi is of length exactly p. We will now try to characterize the 

V 

72 

strings in Gx,<p. From the definitions, y = ap G Gx,<p if and only if there is a rotation 0 < i < p 

72 

such that (Rot*(a))p has a prefix in Lx- This, in turn, can happen if and only if there is an i < p 
such that one of the following is true. 

• Rot*(a) < xi in lexicographic order, or 

• there is j, 0 < j < ^, such that Rot*(a) = xi = X 2 = X 3 = ... = Xi and Rot*(a) < Xj+i 
in lexicographic order. 
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The strings y = ap for which a has a rotation which is less than xi in lexicographic order are 

n 

exactly the strings of the form cp with c G Gxi,<p- Via the algorithm of the previous subsection, 
there is a polynomial in n time algorithm which outputs a branching program recognizing Gxi,<p- 

n 

The only strings which satisfy the second condition are of the form cp , where c is a rotation of x\ 
and xi < Xj+i in lexicographic order. There are at most |Orbit(a:i)| such strings, and we can count 
them directly given x. 

This gives us our algorithm for computing \Gx,<p\'- 

Computing \Gx,<p\- 

Input: 

• Integers n,p such that p\n 

• A string x G {0,1}” 

Algorithm: 

1. Write X as X = xiX 2 ■ ■ ■ xr where \xi\ = pVi G 

2. Construct a branching program Ax^ such that L{Ax^) n {0,1}^ = Gxi,<p 

3. Let M be the number of strings of length p accepted by Ax-^ 

4. If there is an 0 < i ^ such that xi = X 2 = xs = ... Xi and xi < Xj+i in lexicographic order, 
and xi ^ L{AxPj, then output M + |Orbit(xi)|, else output M. 

From the construction in Section 12.2.31 and Lemma 12.161 it follows that we can construct Ax^ and 
count M in time polynomial in n. We thus have the following lemma. 

Lemma 2.17. For any divisor p of n and string x G {0,1}*, we can compute the size of the set 
Gx,<p in time poly(n). 

We now have all the ingredients for the proof of the following theorem, which is a special case of 
Theorem 11.21 when the alphabet under consideration is {0,1}. 

Theorem 2.18. There is an algorithm for indexing necklaces of length n over the alphabet {0,1}, 
which runs in time poly(n). 

Proof. The proof simply follows by plugging together the conclusions of Lemma 12.51 Lemma 12.61 
Lemma 12.71 Lemma 12.81 and Lemma 12.171 □ 

It is not difficult to see that the indexing algorithm can be used to obtain a reverse indexing 
algorithm as well and hence, we also obtain a special case of Theorem 11.31 for the binary alphabet. 

2.2.5 Indexing necklaces over large alphabets 

In this subsection we how to handle the case of general alphabets S (with |S| = g). A direct 
generalization of the algorithm for the case of the binary alphabet, where the set Lx is appropriately 
defined, will run in time polynomial in n and q. Our goal here is to improve the running time to 
polynomial in n and log q. 
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def 

The basic idea is to represent the elements in E by binary strings of length t = \log q]. Let 
Bin : E —> {0,1}* be an injective map whose image is the set T of lexicographically smallest 
strings in {0,1}*. Extend this to a map Bin : E*^ ^ {0,1}*” in the natural way. 

We now use the map Bin to convert our indexing/counting problems over the large alphabet E to a 
related problem over the small alphabet {0,1}. For x € E”, we have Bin(Rot*(x)) = Rot**(Bin(x)). 
For an orbit E C E” and x € {0,1}*”, we say F < x if some element z £ E satisfies Bin(z)<iexX. 
Let Cx be the set of orbits E C E” which are less than x. For each x € {0,1}*” and p \ n, define: 


1 . 


2 . 


G 


x,p 


U 

E<x,\E\=p 


Gx,<p ~ U 

E<x,\E\ divides p 


The following identity allows us to count Gx,<n'- 

|Ga;,<n| = \{y G {0,1}*” \y £T^,3i <n s.t. RoT*(y)<iexx}|. 

It is easy to efficiently produce a branching program such that L(Ao) Ll{0, !}*"■ = T"'. As we will 
describe below, the methods of the previous section can be easily adapted to efficiently produce a 
branching program Ax such that 

L{Ax) n (0, = {y £ (0, ly I < n s.t. RoT*(2/)<iexx}. 


The following lemma will be crucial in the design of this branching program. 

Lemma 2.19. Let y £ {0,1}*”. There exists i < n such that Rot**(y)<iexX if and only if at least 
one of the following events occurs: 

1 . there exists w £ Lx such that w appears as a contiguous substring of y starting at a coordinate 
j with j = 0 mod t (where the coordinates of x are 0,1,... , (tn — 1 )). 

2 . there exist strings wi,W 2 such that wiW 2 £ Lx, W 2 is a prefix ofy, wi is a suffix of y, and 
Itcil = 0 mod t. 

Given this lemma, the construction of Ax follows easily via the techniques of the previous subsec¬ 
tions. The main addition is that one needs to remember the value of the current coordinate mod 
t, which can be done by blowing up the number of states of the branching program by a factor t. 
Intersecting the accepted sets of Ax and Aq gives us our desired branching program which allows 
us to count \Gx,<n\- This easily adapts to also count |Ga:,<p| for each p \ n. 

We conclude using the ideas of Section [2.2.21 We can now compute \Gx,p\ for each x and each p \ n. 
From Lemma 12.51 Lemma 12.61 and Lemma 12.71 it follows that for every x, we can compute \Cx\ 
efficiently. We thus get our main indexing theorem for necklaces from Lemma l2.ll 

Theorem 2.20. There are poly(n, log \T,\)-time indexing and reverse-indexing algorithms for neck¬ 
laces of length n over E. 

Furthermore, there are poly(n,log |E|)-fime indexing and reverse-indexing algorithms for necklaces 
of length n over E with fundamental period exactly n. 
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3 Indexing irreducible polynomials 


In the previous section, we saw an algorithm for indexing necklaces of length n over an alphabet 
S of size g, which runs in time polynomial in n and logg. In this section, we will see how to use 
this algorithm to efficiently index irreducible polynomials over a finite field. More precisely, we will 
use an indexing algorithm for necklaces with fundamental period exactly equal to n (which is also 
given by the methods of the previous sections). 

Let g be a prime power, and let denote the finite field of q elements. For an integer n > 0, let 
Iq^n denote the set of monic, irreducible polynomials of degree n in Fg[T]. 

Theorem 3.1. For every q,n as above, there is an algorithm that runs in poly(n, log ( 7 ) time, takes 
0 {nlogq) bits of advice, and indexes Iq^n- 

Proof. To prove this theorem, we start by first describing the connection between the tasks of 
indexing necklaces and indexing irreducible polynomials. Let P{T) G Note that P{T) has 

all its roots in the field F^n. Let a G F^n be one of the roots of P{T). Then we have that 
a, o'?,..., ^ are all distinct, and: 

n—1 

P{T) = ll{T-a<i^). 

i=0 

Conversely, if we take a G F„n such that a,a‘^,... ,ofl are all distinct, then the polynomial 
= m4n. 

Define an action of on F*n as follows: for k £ Zn and a G (F^n)*, define: 

k[a] = . 

This action partitions F*n into orbits. By the above discussion, Iq^n is in one-to-one correspondence 
with the orbits of this action with size exactly n. Thus it suffices to index these orbits. 

Let <7 be a generator of the the multiplicative group (F^n)*. Define a map E : Zgn_i —>■ F*n by: 

E{a)=gr 

We have that Fi is a bijection. Via this bijection, we have an action of on Zgn_i, where for 
/c G Z„ and a G Zgn_i, 

k[a\ = q^ ■ a. 

Now represent elements of Zgn_i by integers in {0,1,... , ( 7 "' — 2}. Define S = {0,1,... , (7 — I}. For 
a G Zqn_i, consider its hase-q expansion G S"'. This gives us a bijection between hqr<._i and 

\ {('f “ 1) • • •) O' “ !)}• VIS’ this bijection, we get an action of Z^ on TP \ {(g — I,..., g — 1)}. 
This action is precisely the standard rotation action! 

This motivates the following algorithm. 

The Indexing Algorithm: 

Input: g (a prime power), n > 0, i G [|Fg^n|] 

Advice: 1. A description of F^ 

2. An irreducible polynomial E{T) G Fg[r] of degree n, whose root is a generator g of (F^n)* (a.k.a. 
primitive polynomial). 
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1. Let S = {0,1,..., g — 1}. 

2. Use i to index an necklace a G S”\{(g — l,g — — 1)} with fundamental period exactly 

n (via Theorem 12.200 . 

3. View a as the base q expansion of an integer a G {0,1,... , g" — 2}. 

4. Use F{T) to construct the finite field F^n and the element g G F*„. (This can be done by 
setting Vqn = ¥q[T]/F(T), and taking the class of the element T in that quotient to be the 
element g.) 

5. Set a = g°'. 

6. Set P(r) = nr=o(r-«'"*)• 

7. Output P{T). 

For constant q, this algorithm can be made to work with poly(logn) advice. Indeed, one can 
construct the finite field ¥gn in poly(g, n) time, and a wonderful result of Shoup |Sho90b| constructs 
a set of gP°h(iog»^) elements in one of which is guaranteed to be a generator. The advice is then 
the index of an element of this set which is a generator. □ 

4 Explicit Generator Matrices and Parity Check Matrices for BCH 
codes 

In this section, we will apply the indexing algorithm for necklaces to give a strongly explicit con¬ 
struction for generator and the parity check matrices for BCH codes. More precisely, we use the 
fact that our indexing algorithm is in fact an unranking algorithm for the lexicgraphic ordering on 
(lexicographically least representatives of) necklaces. 

BCH codes |MS78j are classical algebraic error-correcting codes based on polynomials over finite 
extension fields. They have played a central role since the early days of coding theory due to their 
remarkable properties (they are one of the few known families of codes that has better rate/distance 
tradeoff than random codes in some regimes). Furthermore, their study motivated many advances 
in algebraic algorithms. 

Using our indexing algorithm for necklaces, we can answer a basic question about BCH codes: we 
construct strongly explicit explicit generator matrices and parity check matrices for BCH codes. For 
the traditionally used setting of parameters (constant designed distance), it is trivial to construct 
generator matrices and parity check matrices for BCH codes. But for large values of the designed 
distance, as far as we are aware, this problem was unsolved. 

Let g be a prime power, and let n > 1 and 0 < d < g” — 1. The BCH code associated with these 
parameters will be of length q'^ over the held Fg, where the coordinates are identihed with the 
big held Fgn. Let: 

U = {(P(a))„eF,n I P{X) G Fgn[X],deg(P) < d, s.t. Va G Fgn,P(a) G Fg}. 

In words: this is the Fg-linear space of all Fgn-evaluations of Fg^-polynomials of low degree, which 
have the property that all their evaluations lie in Fg. In coding theory terminology, this is a subheld 
subcode of Reed-Solomon codes. 
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The condition that P{a) G for each a G F^n can be expressed as follows; 

P(X)« = PiX) mod X''" - X. 

Thus, if P{X) = then the above condition is equivalent to: 


d d 

= Y mod X''" - X, 

i=0 


which simplifies to: 

^iq mod ( 5 " — !) % • 

Thus; 

1. For every i, if ^ is the smallest integer such that iq^ mod (g” — 1) = f, then a* G Vg = {a G 
Fgn I a?" = a}, 

2. Specifying ai G automatically determines mod mod • • •) 

3. Qi can take any value in V^. 

This motivates the following choice of basis for BCH codes. Let X = {5 C {0,1,... , d} | i G 5 => (fg 
mod (g” — 1)) G S}. Let 0 : 5 , 1 ,..., 05,151 be a basis for Vi 5 | over Fg (note that when j \ n, we have 
that Ve = {a € Fgn | o”^ = 0 } is an Fg-linear subspace of Fgn of dimension i). For 5 G X, define 
ms = minje 5 f. For 5 G X and j G [IS'j], define: 

|S |-1 

Xsg(X) = Y mod (<?»-!)_ 

k=0 

It is easy to see from the above description that iPs,j)s£j^ j(£[n] fo^^ms an Fg basis for the BCH code 
V. Thus it remains to show that one can index the sets of X. 

If we write all the elements of 5 G X in base q, we soon realize that the S are precisely in one-to-one 
correspondence with those rotation orbits of E” (with E = {0, 1 ,.. . ,q — 1 }) where all elements of 
the orbit are lexicographically < some fixed string in E" (in this case the fixed string turns out 
to be the base q representation of the integer d). By our indexing algorithm for orbits, X can be 
indexed efficiently. Thus we can compute any given entry of a generator matrix for BCH codes. 
The parity check matrices can be constructed similarly. For a given designed distance d, one starts 
with d X FgTi matrix M whose i,a entry equals a*. Note that every d columns of this matrix form 
a van der Monde matrix; thus they are linearly independent over Fgn (and hence also over Fg). 
Define an equivalence ~ relation on [d] as follows; fi ~ 12 iff ^2 = H • mod (g” — 1) for some k. 
Now amongst the rows of M, for each equivalance class E C d, keep only one row from E (i.e., for 
some i G E, keep the f’th row of M and delete the j’th row for all j £ E \ {f}). The remarkable 
dimension-distance tradeoff of BCH codes is based on the fact that this operation, while it reduces 
the dimension of the ambient space in which the columns of this matrix lie, preserves the property 
that every d columns of this matrix are linearly independent over the small field Fg. This reduced 
matrix M is the parity-check matrix of the BCH code. 
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We now give a direct construction of the parity-check matrix M. Let = {^ C [q'^ — 1] | z G S 
iq € S}. For S G T, let ms = minjg^ i. Then the rows of M are indexed by those 5 € for which 
ms < d. The {S, a) entry of M equals . Writing all the integers of [q'^ — 1] in base (?, we see that 
the elements of J- are orbits of the action on S”, where S = {0,1,... , g — 1}. Furthermore, the 
S with ms < d are precisely those orbits which have some element lexicographically at most a given 
fixed element x (which in this case is the base q representation of d). By our indexing algorithm, 
the rows of M can be indexed efficiently, and hence each entry of the M can be computed in time 
poly(n), as desired. 


5 Open Problems 

We conclude with some open problems. 

1. Can the orbits of group actions be indexed in general? 

One formulation of this problem is as follows: Let G be a finite group acting on a set X, 
both of size poly(n). Suppose G and its action on X are given as input explicitly. For a 
finite alphabet S, consider the action of G on (by permuting coordinates according to 
the action on X). Can the orbits of this action be indexed? Can they be reverse-indexed? 

2. Let G be the symmetric group S'„. Consider its action on {0,1}1 2 1 ^ where G acts by permut¬ 
ing coordinates. The orbits of this action correspond to the isomorphism classes of n-vertex 
graphs. Can these orbits be indexed? 

More ambitiously, can these orbits be reverse-indexed? This would imply that graph isomor¬ 
phism is in P. 

3. It would be interesting to explore the complexity theory of indexing and reverse-indexing. 
Which languages can be indexed efficiently? Can this be characterized in terms of known 
complexity classes? 

In particular, it would be nice to disprove the conjecture: “Every pair-language L € P for 
which the counting problem can be solved efficiently can be efficiently indexed”. 
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A Alternative indexing algorithm for binary necklaces of prime 
length 

In this section we give another algorithm for indexing necklaces in {0,1}” in the special case where 

n is prime. 

For convenience, we will denote the n coordinates of {0,1}” by 0,1,... , n — 1, and identify them 

with elements of Z„. 
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Definition A.l. Let x G {0,1}"'. We say x is top-heavy if for every j, 0 < j < n: 


E 


/c=0 



>0 

n J 


In words: every prefix of x has normalized Hamming weight at least as large as the normalized 
Hamming weight of x. 

The next lemma by Dvoretzky and Motzkin [DM47] shows that every string has a unique top-heavy 
rotation. 

Lemma A. 2 f |DM47| I. Let n be prime. For each x G {0, !}"■ \ {0”, 1"'}, there exists a unique i, 
0 < i < n such that Rot*(x) is top-heavy. 

Proof. Define / : {0, !}"■ x N ^ M by: 

~ ^ (xk mod 

k=0 ^ 

Then the top-heaviness of x is equivalent to f{x,j) > 0 for all j G N. 

We make two observations: 


wt(x) \ 

n J 


1. If j = j' mod n, then f{x,j) = f{x,j'). This follows from the fact that: 


n—1 


E 




= 0 . 


2. For nonnegative integers j,i with j < n, we have: 

f{RoF{x),£) = f{x,j + i) - fix,j). 


Putting these two facts together, we get that: 

f{RoF{x),£) = f{x,{j+ £) mod n) - f{x,j). (1) 

Now fix X G {0, !}”■ \ {0”, 1”}. Define i G {0,1,... , n — 1} to be such that f{x, i) is minimized. By 
Equation ([H), we get that f{Rot\x),i) > 0 for all nonnegative integers i. This proves the existence 
of i. 

For uniqueness of i, we make two more observations: 

1- If fix,j) > fix,i), then 

fiRoF{x),n + i- j) = f{x,n + i) - /(x,j) = f{x,i) - f{x,j) < 0, 
and thus RoP(x) is not top-heavy. 
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2. If f{x,j) = f{x,j'), then j = j' mod n. To see this, first note that we may assume j < j'. 
Then: 


0 = f{x,j') - f{x,j) 


E 

k=j+l 


Xk mod n 


wt(x] 


n 


^ ^ Xk mod n j (j j) ' 
yk=j+l 


wt(x) 


n 


Thus, since the first term is an integer, we must have that {j' — j) ■ wt(x) must be divisible 
by n, and by our hypothesis on x, we have that j' = j mod n. 


Thus i G {0,1,..., n — 1}, for which Rot*(x) is top-heavy, is unique. 


□ 


The above lemma implies that each orbit E contains a unique top-heavy string. We define the 
canonical element of E to be that element. 

We now show that there is a branching program A such that L(A) n {0, precisely equals the 
set of top-heavy strings. By the discussion in the introduction, this immediately gives an indexing 
algorithm for orbits of E. 

How does a branching program verify top-heaviness? In parallel, for each £G{l,...,n — 1}, the 
branching program checks if condition Ci holds, where is: 

“VO <j<n,'^Xk> . 

k=0 

At the same time, it also computes the weight of x. At the final state, it checks if is true, x 

is top-heavy if and only if it is true. 

This completes the description of the indexing algorithm. 

We also know an extension of this approach that can handle n which have 0(1) prime factors. The 
key additional ingredient of this extension is a new encoding of strings that enables verification of 
properties like top-heaviness by automata. 


B Complexity of indexing 

In this section, we explore some basic questions about the complexity theory of indexing and reverse 
indexing. We would like to understand what sets can be indexed/reverse-indexed efficiently. 

The outline of this section is as follows. We first deal with indexing and reverse-indexing in a nonuni¬ 
form setting. Based on some simple observations about what cannot be indexed/reverse-indexed, 
we make some naive, optimistic conjectures characterizing what is efficiently indexable/reverse- 
indexable, and then proceed to disprove these conjectures. We then make some natural definitions 
for indexing and reverse-indexing in a uniform setting, and conclude with some analogous naive, 
optimistic conjectures. 
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B.l Indexing and reverse-indexing in the nonuniform setting 

By simple counting, most sets S C {0, !}"■ cannot be indexed or reverse-indexed by circuits of size 
poly(n). We now make two naive and optimistic conjectures: 

• If S C { 0 , !}”■ has a poly(n)-size circuit recognizing it, then there is a poly(n)-size circuit for 
indexing S. 

• If S' C {0,1}" has a poly(re)-size circuit recognizing it, then there is a poly(re)-size circuit for 
reverse-indexing S. 

Note that the simple observations about indexing made in the introduction are consistent with 
these conjectures. 

We now show that these conjectures are false (unless the polynomial hierarchy collapses). Assuming 
the conjectures, we will give S 4 algorithms to count the number of satisfying assignments of a given 
boolean formula (f>. By Toda’s theorem [Tod91] . this would imply that the polynomial hierarchy 
collapses. 

Let S C {0,1}*^ be the set of satisfying assignments of a given boolean formula cf) of size m {m > n). 
We know that S can be recognized by a circuit of size m (namely (j)). By the conjectures, there are 
circuits Ci and Cr of size poly(m) for indexing S and reverse-indexing S. We will now see that a 
S 4 algorithm can get its hands on these circuits, and then use these circuits to count the number 
of elements in S. 

Indexing Consider the S 4 algorithm that does the following on input (f). Guess a circuit C : 
{0,1}”' — 7 > {0,1}” U {“too large”} of size poly(m), and an integer AT < 2” and then verify the 
following properties: 

• for all i G [K], C{i) / too large and (f){C{i)) = 1. 

• for all i ^ [K], C{i) = too large. 

• for all X € {0,1}”, if ^{x) = 1, then there exists a unique i G \K] for which C{i) = x. 

If C = Cj, and K = |5|, then these properties hold. It is also easy to see that if all these properties 
hold, then C is an indexing circuit for S', and K = |S|. Thus the above gives a S 4 algorithm to 
compute |S|. 

Reverse-indexing Consider the S 4 algorithm that does the following on input (j). Guess a 
circuit C : {0,1}” —>■ {0,1}” U {“false”} of size poly(m), and an integer AT < 2” and then verify 
the following properties: 

• for all X G {0,1}”, either ((/>(x) = 1 and C{x) G [AT]) or {(j){x) = 0 and C{x) = false). 

• for all i G [A'], there exists a unique x G {0,1}” such that C{x) = i. 

If C = Cr, and A' = |S|, then these properties hold. It is also easy to see that if all these properties 
hold, then C is a reverse-indexing circuit for S, and K = |S|. Thus the above gives a S 4 algorithm 
to compute IS"!. 
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B.2 Indexing and reverse-indexing in the uniform setting 

We now introduce a natural framework for talking about indexing in the uniform setting. 

Let L C S* X S* be a pair-language. For x G S*, define = {y \ {x,y) G L}. An algorithm 
M{x,i) is said to be an indexing algorithm for L if for every x G S*, the function M{x, ■) is an 
indexing of the set L^- An algorithm M{x, y) is said to be a reverse indexing algorithm for L if for 
every x G S*, the function M{x,-) is a reverse indexing of the set L^- Indexing/reverse-indexing 
algorithms are said to be efficient if they run in time poly(|x|). 

We now make some preliminary observations about the limitations of efficient indexing/reverse¬ 
indexing. 

1. If L can be efficiently indexed, then the counting problem for L can be solved efficiently (recall 
that the counting problem for L is the problem of determining \Lx\ when given x as input. 
The counting problem can be solved via binary search using an indexing algorithm). 

2. If L can be efficiently reverse indexed, then L must be in P. Indeed, the reverse indexing 
algorithm M{x,y) immediately tells us whether {x,y) G L. 

In the absence of any other easy observations, we gleefully made the following optimistic conjectures. 

1. Every pair-language L G P for which the counting problem can be solved efficiently can be 
efficiently indexed. 

2. Every pair-language L £ P can be efficiently reverse indexed. 

Using ideas similar to those used in the nonuniform case, one can show that the latter of these 
conjectures is not true (unless the polynomial hierarchy collapses). However we have been unable 
to say anything interesting about the first conjecture, and we leave the conjecture that it is false 
as an open problem. 
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